Backoff PoS malware was active from 2013 into 2014, reportedly impacting 1,000 US businesses. The hackers brute-forced credentials for victims’ remote desktop servers in order to gain access and install the malware. Backoff uses its RAM scraper to harvest payment card data from memory and then transmits it back to the hacker over HTTP (port 80). Its C2 servers were reportedly connected to the same servers used to host other malware such as Zeus, SpyEye, and Citadel. Three variants of the Backoff PoS malware are known: 1.4, 1.55 (aka ‘goo’, ‘MAY’, and ‘net’), and 1.56 (aka ‘LAST’). Researchers have found that earlier variants of Backoff included a malicious stub that is injected into the Windows explorer process to maintain persistence, but more recent variants dropped that capability in favor of a keylogging feature. Backoff also has the ability to uninstall prior versions of itself. It is unclear if this PoS malware remains active today.
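The summary above names two observable stages of a Backoff intrusion: a brute-force attack against a remote desktop server before the malware is installed, and exfiltration of harvested card data over HTTP on port 80 afterwards. The following is an added example, not code from the original page or from any of the cited reports, showing how a defender could turn those two facts into simple detections. The log format, host names, IP addresses and request bodies are all constructed for the example; a real deployment would read Windows Security event 4625/4624 records and proxy or NetFlow data in whatever format the SIEM provides.

```python
"""Added example (not from the original page): two defensive checks suggested by
the Backoff description. Both run offline over constructed sample records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Check 1: brute-force RDP logons followed by a success -------------------
# Constructed log lines in a hypothetical flattened format:
#   <timestamp> <event id> LogonType=<n> Src=<ip> User=<name>
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
RDP_LOG = """
2014-06-01T02:00:01 4625 LogonType=10 Src=203.0.113.7 User=admin
2014-06-01T02:00:03 4625 LogonType=10 Src=203.0.113.7 User=administrator
2014-06-01T02:00:05 4625 LogonType=10 Src=203.0.113.7 User=pos
2014-06-01T02:00:08 4625 LogonType=10 Src=203.0.113.7 User=backup
2014-06-01T02:00:12 4625 LogonType=10 Src=203.0.113.7 User=manager
2014-06-01T02:00:15 4625 LogonType=10 Src=203.0.113.7 User=root
2014-06-01T02:00:20 4624 LogonType=10 Src=203.0.113.7 User=admin
2014-06-01T02:30:00 4625 LogonType=3 Src=198.51.100.4 User=svc
2014-06-01T02:31:00 4625 LogonType=10 Src=198.51.100.4 User=svc
"""


def parse_rdp_events(log):
    """Yield (timestamp, event_id, source_ip) for RDP (LogonType=10) events only."""
    for line in log.strip().splitlines():
        ts, event, logon_type, src, _user = line.split()
        if logon_type == "LogonType=10":
            yield datetime.fromisoformat(ts), event, src.split("=", 1)[1]


def rdp_bruteforce_sources(log, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: max failures seen in any sliding window of `window`}
    for sources that reach `threshold` failed RDP logons."""
    failures = defaultdict(list)
    for ts, event, src in parse_rdp_events(log):
        if event == "4625":
            failures[src].append(ts)
    flagged = {}
    for src, times in failures.items():
        times.sort()
        j, best = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > window:  # slide the window start forward
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def compromised_after_bruteforce(log, **kw):
    """Sources that brute-forced RDP and then logged on successfully: the
    point at which Backoff would be installed, so the highest-priority alert."""
    flagged = rdp_bruteforce_sources(log, **kw)
    successes = {src for _ts, event, src in parse_rdp_events(log) if event == "4624"}
    return sorted(src for src in flagged if src in successes)


# --- Check 2: card numbers leaving a POS host over plain HTTP ----------------
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits):
    """Luhn check: true for a well-formed payment card number, which filters
    out most order numbers, timestamps and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pan_count(payload):
    """Number of Luhn-valid card numbers in a request body (values are not
    returned, so the detector never copies full PANs into its own output)."""
    return sum(1 for m in PAN_RE.findall(payload) if luhn_ok(m))


# Constructed outbound HTTP requests from two POS hosts (hypothetical records).
OUTBOUND = [
    {"src": "POS-01", "dst": "198.51.100.23", "port": 80,
     "body": "id=9f3a&data=4111111111111111|1225|123"},
    {"src": "POS-01", "dst": "192.0.2.10", "port": 443,
     "body": "order=1234567890123456&status=ok"},
    {"src": "POS-02", "dst": "192.0.2.10", "port": 80,
     "body": "heartbeat=4111111111111112"},
]


def suspicious_exfil(records):
    """Flag (src, dst, count) for port-80 requests carrying Luhn-valid PANs,
    matching the page's description of Backoff sending card data over HTTP."""
    hits = []
    for r in records:
        n = pan_count(r["body"])
        if r["port"] == 80 and n:
            hits.append((r["src"], r["dst"], n))
    return hits


if __name__ == "__main__":
    print("RDP brute force:", rdp_bruteforce_sources(RDP_LOG))
    print("brute force then success:", compromised_after_bruteforce(RDP_LOG))
    print("PAN exfil over HTTP:", suspicious_exfil(OUTBOUND))
```

Both checks deliberately stay coarse: the RDP rule keys on failures per source in a sliding window and escalates only when a success follows, and the exfiltration rule counts Luhn-valid numbers rather than reporting them, so an analyst reviewing the alert never sees full card data. Thresholds, the window size and the choice of port 80 alone should be tuned to the environment; Backoff is documented as using port 80, but a POS host should rarely be posting to the internet on any port.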

Technical Details

  • The U.S. Computer Emergency Readiness Team (US-CERT) offers a detailed breakdown of each Backoff variant, including a list of the IOCs and mitigation strategies, here.
  • Trustwave provided technical analysis of the Backoff malware family on their SpiderLabs Blog, available here.

[Image: One example of the Backoff PoS malware. Image source: Softpedia]